Adobe Flash Exploit embedded inside PDF file

We received a malicious PDF file last week, on analysis, we found that the malicious PDF file is different from recently analysed PDF exploits. This Adobe Flash zero-day exploit appears to be exploited in the wild. This exploit affects Adobe Reader 9.1.2 and earlier 9.x versions and Adobe Flash Player 9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x versions.

In this PDF file, there are two flash files embedded in it. One of them, fancyball.swf, doesn’t seem to do anything malicious, the other flash file save.swf (or oneoff.swf) uses action script to do heap spraying.

The shellcode downloads and executes 2 executable files named SUCHOST.exe and temp.exe. Both of the executable files are embedded inside the PDF file itself.